The service account ID used to run the web site must have its password changed at least annually.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-2235 | WG060 IIS7 | SV-36487r2_rule | IAIA-1 IAIA-2 | Medium |
| Description |
|---|
| Normally, a service account is established for the web service to run under rather than permitting it to run as system or root. The passwords on such accounts must be changed at least annually. It is a fundamental tenet of security that passwords are not to be null and must not to be set to never expire. |
| STIG | Date |
|---|---|
| IIS 7.0 WEB SERVER STIG | 2014-01-09 |
Details
| Check Text ( C-38468r3_chk ) |
|---|
| 1. Go to Start, Administrative Tools, then Services. 2. Right click on service name World Wide Web Publishing Service, Select Properties, then select the Log On tab. 3. The username next to this account is the web service account ID. If any other user than IUSR is listed, continue to step 4. If the service account IUSR is used to run the service, this is not a finding. 4. Open a command prompt and enter Net User [service account ID], press Enter. 5. Verify the values for Password last set and Password expires to ensure the password has been changed in the past year, and will be required to change within the coming year. |
| Fix Text (F-27578r2_fix) |
|---|
| Configure the service account ID, used to run the web-site, to have its password changed at least annually or use the service account IUSR. |